Log Event Extended Format (LEEF)

NXLog Enterprise Edition can be configured to collect or forward logs in the LEEF format.

LEEF is the event format used by IBM Security QRadar products; it is normally carried over Syslog. An event is described as a list of key-value pairs. LEEF defines a set of predefined attribute names, and additional, product-specific attributes can be used where needed.

Basic LEEF syntax
SYSLOG_HEADER LEEF_HEADER|EVENT_ATTRIBUTES

The LEEF_HEADER part contains the following pipe-delimited fields.

  • LEEF version

  • Vendor

  • Product name

  • Product version

  • Event ID

  • Delimiter character for the event attributes (LEEF version 2.0 only; optional): the character itself, or its hexadecimal value prefixed with 0x or x. When the field is omitted or empty, the tab character is used.

The EVENT_ATTRIBUTES part contains a list of key-value pairs separated by a tab or the delimiter specified in the LEEF header.

Full LEEF syntax
Oct 11 11:27:23 myserver LEEF:Version|Vendor|Product|Version|EventID|Delimiter|src=192.168.1.1	dst=10.0.0.1
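The syntax above, worked into a parser that handles the cases the header rules imply: LEEF 1.0, LEEF 2.0 with the delimiter field omitted, empty, literal, or given in 0x/x hex form, and an optional syslog PRI in front of the timestamp. This is an added example in Python, not NXLog's xm_leef code; the sample lines and the field names it returns (SyslogFacility, SyslogSeverity, attributes) are constructed for the example.

```python
import re

# Constructed sample events (not from the page): LEEF 1.0, LEEF 2.0 without a
# delimiter field (tab-separated), LEEF 2.0 with a hex-encoded '|' delimiter
# behind a syslog PRI, and LEEF 2.0 with a literal '^' delimiter.
SAMPLES = [
    "Oct 11 11:27:23 myserver LEEF:1.0|Microsoft|MSExchange|2013 SP1|15345|"
    "src=10.50.1.1\tdst=2.10.20.20\tspt=1200",
    "Oct 11 11:27:23 myserver LEEF:2.0|Microsoft|MSExchange|2013 SP1|15345|"
    "src=10.50.1.1\tdst=2.10.20.20\tspt=1200",
    "<13>Oct 11 11:27:23 myserver LEEF:2.0|Vendor|Product|1.0|42|0x7C|"
    "src=192.168.1.1|dst=10.0.0.1|msg=a=b",
    "Oct 11 11:27:23 myserver LEEF:2.0|Vendor|Product|1.0|42|^|"
    "src=192.168.1.1^dst=10.0.0.1",
]

_HEX_DELIM = re.compile(r"^(?:0x|x)([0-9A-Fa-f]{1,4})$")
_SYSLOG = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                    # optional PRI
    r"(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) "  # BSD timestamp
    r"(?P<host>\S+)$"                              # hostname
)


def decode_delimiter(field):
    """Map the LEEF 2.0 delimiter field to the separator it denotes:
    empty -> tab (the default), '0x7C' or 'x7C' -> chr(0x7C), else the literal character."""
    if field == "":
        return "\t"
    m = _HEX_DELIM.match(field)
    if m:
        return chr(int(m.group(1), 16))
    if len(field) != 1:
        raise ValueError("invalid LEEF delimiter field: %r" % field)
    return field


def parse_leef(line):
    """Parse one LEEF 1.0/2.0 event, optionally preceded by a BSD syslog header, into a dict.
    Backslash escape sequences inside values are left untouched."""
    line = line.rstrip("\r\n")
    idx = line.find("LEEF:")
    if idx < 0:
        raise ValueError("no LEEF header in line")
    event = {}
    syslog_part = line[:idx].rstrip()
    if syslog_part:
        m = _SYSLOG.match(syslog_part)
        if not m:
            raise ValueError("unrecognised syslog header: %r" % syslog_part)
        if m.group("pri") is not None:
            pri = int(m.group("pri"))
            event["SyslogFacility"], event["SyslogSeverity"] = pri >> 3, pri & 7
        event["SyslogTimestamp"] = m.group("ts")
        event["Hostname"] = m.group("host")

    # Five pipe-delimited header fields; everything after the fifth '|' is the
    # optional delimiter field (LEEF 2.0 only) followed by the attributes.
    header = line[idx:].split("|", 5)
    if len(header) != 6:
        raise ValueError("LEEF header must have five pipe-delimited fields")
    (event["LEEFVersion"], event["Vendor"], event["Product"],
     event["Version"], event["EventID"], rest) = header

    delim = "\t"
    if event["LEEFVersion"] == "LEEF:2.0" and "|" in rest:
        first, after = rest.split("|", 1)
        # The delimiter field never contains '=' and is empty, one character, or 0x../x.. hex;
        # anything else is already the first key=value pair, i.e. the field was omitted.
        if "=" not in first and (len(first) <= 1 or _HEX_DELIM.match(first)):
            delim, rest = decode_delimiter(first), after

    attrs = {}
    for pair in rest.split(delim):
        if pair == "":
            continue
        key, _, value = pair.partition("=")  # split on the first '=' only; values may contain '='
        attrs[key] = value
    event["attributes"] = attrs
    return event


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_leef(sample))
```

The delimiter-field detection is a heuristic forced by the format: a LEEF 2.0 producer may omit the field entirely (as the MSExchange sample in this document does), so the parser has to tell an omitted field from the first attribute by the absence of '='. A producer that needs '|' or '=' as the separator should use the hex form, which is exactly what it exists for.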

Collecting LEEF logs

NXLog Enterprise Edition can parse LEEF logs with the xm_leef module’s parse_leef() procedure.

Example 1. Accepting LEEF logs via TCP

With the following configuration, NXLog will accept LEEF logs via TCP, convert them to JSON, and output the result to file.

nxlog.conf
<Extension _json>
    Module  xm_json
</Extension>

<Extension _leef>
    Module  xm_leef
</Extension>

<Input in>
    Module  im_tcp
    Host    0.0.0.0
    Port    1514
    Exec    parse_leef();
</Input>

<Output out>
    Module  om_file
    File    '/var/log/json'
    Exec    to_json();
</Output>
Input sample
Oct 11 11:27:23 myserver LEEF:2.0|Microsoft|MSExchange|2013 SP1|15345|src=10.50.1.1	dst=2.10.20.20	spt=1200
Output sample
{
  "EventReceivedTime": "2016-10-11 11:27:24",
  "SourceModuleName": "in",
  "SourceModuleType": "im_tcp",
  "Hostname": "myserver",
  "LEEFVersion": "LEEF:2.0",
  "Vendor": "Microsoft",
  "SourceName": "MSExchange",
  "Version": "2013 SP1",
  "EventID": "15345",
  "src": "10.50.1.1",
  "dst": "2.10.20.20",
  "spt": "1200"
}

Generating LEEF logs

NXLog Enterprise Edition can also generate LEEF logs, using the to_leef() procedure provided by the xm_leef extension module.

Example 2. Sending LEEF logs via TCP

With this configuration, NXLog reads JSON records from a file, parses them, and forwards them as LEEF over plain TCP; for a TLS-protected connection, the om_ssl module takes the place of om_tcp.

nxlog.conf
<Extension _json>
    Module  xm_json
</Extension>

<Extension _leef>
    Module  xm_leef
</Extension>

<Input in>
    Module  im_file
    File    '/var/log/json'
    Exec    parse_json();
</Input>

<Output out>
    Module  om_tcp
    Host    10.12.0.1
    Port    514
    Exec    to_leef();
</Output>
Input sample
{
  "EventTime": "2016-09-13 11:23:11",
  "Hostname": "myserver",
  "Purpose": "test",
  "Message": "This is a test log message."
}
Output sample
<13>Sep 13 11:23:11 myserver LEEF:1.0|NXLog|in|3.0.1775|unknown|EventReceivedTime=2016-09-13 11:23:12	SourceModuleName=in	SourceModuleType=im_file	devTime=2016-09-13 11:23:11	identHostName=myserver	Purpose=test	Message=This is a test log message.	devTimeFormat=yyyy-MM-dd HH:mm:ss
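The same field handling as the output above, as an added Python example (not NXLog's to_leef() implementation): EventTime becomes devTime, Hostname becomes identHostName, the remaining fields are appended as they are, and devTimeFormat is added last. The vendor, product and version header values are hard-coded here as an assumption (NXLog derives them from the module at runtime), and the record and the serialises() helper are constructed for the example. Beyond what the page shows, it refuses values that contain the delimiter or a line break, because a field an attacker can influence (a message, a URL) that carries a tab or newline would otherwise be read by the receiver as extra attributes or as an extra event.

```python
from datetime import datetime

# Header values taken from the output sample; fixed constants here (an assumption).
VENDOR, PRODUCT, VERSION = "NXLog", "in", "3.0.1775"
# Core NXLog fields that get a dedicated LEEF attribute name on output.
CORE_FIELD_MAP = {"EventTime": "devTime", "Hostname": "identHostName"}
# Characters that would end the record or corrupt the syslog framing.
FORBIDDEN = "\r\n\x00"

# Constructed record, matching the page's input sample.
SAMPLE_RECORD = {
    "EventTime": "2016-09-13 11:23:11",
    "Hostname": "myserver",
    "Purpose": "test",
    "Message": "This is a test log message.",
}


def to_leef(record, pri=13, delimiter="\t"):
    """Serialise a flat dict as one syslog-framed LEEF line (added example, not NXLog's to_leef()).
    Tab delimiter -> LEEF:1.0 without a delimiter field; any other delimiter -> LEEF:2.0 with
    the delimiter given as 0xHH. Raises ValueError instead of emitting a line that a consumer
    would split into extra attributes or extra records."""
    fields = dict(record)
    event_id = str(fields.pop("EventID", "unknown"))
    hostname = str(fields.get("Hostname", "-"))
    if not hostname or " " in hostname or set(hostname) & set(FORBIDDEN):
        raise ValueError("illegal hostname: %r" % hostname)
    event_time = fields.get("EventTime")
    dt = datetime.strptime(event_time, "%Y-%m-%d %H:%M:%S") if event_time else datetime.now()
    # BSD syslog header: <PRI>MMM dd HH:MM:SS hostname (day is space-padded)
    syslog = "<%d>%s %2d %s %s" % (pri, dt.strftime("%b"), dt.day, dt.strftime("%H:%M:%S"), hostname)

    leef_version = "1.0" if delimiter == "\t" else "2.0"
    header = ["LEEF:" + leef_version, VENDOR, PRODUCT, VERSION, event_id]
    if leef_version == "2.0":
        header.append("0x%02X" % ord(delimiter))
    for h in header:
        # a '|' inside a header field would shift every field after it
        if "|" in h or set(h) & set(FORBIDDEN):
            raise ValueError("illegal character in LEEF header field: %r" % h)

    attrs = []
    for key, value in fields.items():
        key, value = CORE_FIELD_MAP.get(key, key), str(value)
        if "=" in key or delimiter in key or set(key) & set(FORBIDDEN):
            raise ValueError("illegal attribute name: %r" % key)
        if delimiter in value or set(value) & set(FORBIDDEN):
            # e.g. a message "ok\tsrc=1.2.3.4" would otherwise forge a src attribute
            raise ValueError("value of %r contains the delimiter or a line break" % key)
        attrs.append(key + "=" + value)
    if event_time:
        attrs.append("devTimeFormat=yyyy-MM-dd HH:mm:ss")
    return syslog + " " + "|".join(header) + "|" + delimiter.join(attrs)


def serialises(record, **kwargs):
    """True if the record can be emitted as LEEF, False if to_leef() rejects it."""
    try:
        to_leef(record, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(to_leef(SAMPLE_RECORD))
```

Rejecting is the right default for a forwarder that is supposed to be a faithful record; a producer that must never drop events would instead substitute a replacement character and record that it did so, but silently passing the delimiter through is the one option that should never be taken.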
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

Last revision: 03 June 2019